Integration of Sendmail, PostgreSQL, SASL, and TLS
June 28th, 2002
This is a HOW-TO for integrating Sendmail 8.12.5 with PostgreSQL, SASL, and TLS. Keeping the majority of your sendmail data in SQL tables means a change takes effect on the next lookup, with no need to restart or signal sendmail in any fashion, and SASL and TLS add authentication and encryption on top. Some data remains in static text files, for two reasons: 1) I haven't felt like doing it and 2) it rarely changes. One of these days I will indeed get around to making everything SQL tables. If you are familiar with SQL, this will be a breeze for you; if not, it is a learning experience. Later in this document I have provided a sample psql schema for creating a template set of tables.
The two other parts involved here are SASL and TLS. SASL provides login, secret, or realm based authentication, and TLS encrypts the MTA session; the TLS support is built on the OpenSSL library functions. The SASL login lets your MUA or another MTA authenticate as a valid, authorized connection. This is normally used for two purposes: authorization to use the mail server at all, and, subsequently, authorization to RELAY through it. Keep the two decisions separate in your head: a successful login should only grant relay rights if that is what you intend, since an open or weakly authenticated relay is exactly what spammers hunt for. SASL can be a bit of a hassle to understand and install; hopefully this guide will get you going in the right direction. TLS allows the session to be encrypted, so there is no more snooping of mail as it is being delivered to the MTA. Note that TLS only protects the hop between the client and this MTA; the message is in the clear again once it is stored or handed on to a server that does not offer TLS.
Acknowledgment to David for nudging me into fixing some things and to Jonathan Yarden who had the first PostgreSQL patch I found. I have rewritten most of his original patch (you can find his at http://www.missing.net/). My patch implements connection caching and connection sharing, so there is at most one connection per sendmail child to the SQL server as long as the host and connection strings match. Faster startups and faster processing with less resource consumption means happier servers.
Notes, introductory reading, and odd resources. This Blue Labs sendmail patch is CASE SENSITIVE: username 'Joe' is different from 'joe'. Edit the bluelabs.mc file if you don't want this feature. The introductory reading links below are highly recommended. This web page in no way does justice in attempting to explain much of anything. It started out as a notepad for my efforts to integrate pgsql and turned into a reference page for others. I don't attempt to address any theoretical or practical discussions about the technologies involved, only a summarized list of integration instructions.
References
- General email page by Claus Aßmann
- Sendmail Auth by Claus Aßmann
- Sial.org Sendmail Configurations & Documentation.
- Lutz's Postfix based page on being your own CA by Lutz Jänicke
- OpenCA
- Perl CGI to load certs into your browser via web
- Webpage for generating and loading Mozilla/Netscape based certs
- Webpage for generating and loading Microsoft based certs
Prerequisite Packages
- Sendmail [ver 8.12.5]
- Installation of PostgreSQL [ver 7.1+] and SQL table preparation
- Installation of OpenSSL Libraries and tools [ver 0.9.6+] and key preparation (required for TLS)
- Installation of Sleepycat (Berkeley) DB [ver 3.2+] (used by SASL)
- Installation of CMU SASL Library [ver 1.5.24+] and configuration preparation (required for authentication)
Recommended Packages
- Installation of ISC BIND [ver 9.1.1+]
Patches and related files
- Blue Labs composite patch file
- Blue Labs bluelabs.mc file (this is included in the patch file)
- PostgreSQL schema file for creating the example template
- PostgreSQL initial values file for adding the initial table values
Compiling Steps | |
---|---|
Getting started | The assumption is made that you have all the requisite packages, your compiler works, etc. I also assume you know how to untar, uncompress, patch, etc. I suggest placing the patch in /tmp and putting the sendmail source in /usr/src/sendmail-X.X.X as these are the locations I will be referencing. |
Unpacking, patching | Untar the sendmail source and apply the patch. |
Tuning | Edit the bluelabs.mc file and any other site specific files you normally edit for your tailored configuration. Look over the bluelabs.mc and if necessary, alter your runtime parameters. In particular you need to make sure your map rules point to your pgsql server. Be sure the PROCMAIL_MAILER_PATH points to the right location for procmail or your desired local mailer. The generated sendmail.cf is designed to be generic and fit right into place without any editing and I strongly recommend against direct editing of the sendmail.cf file. All your specific domain configuration should be in the static text files and SQL tables. |
Building | First compile the binaries, then build the configuration file. |
Installation Steps | |
---|---|
Install files | First you need to add the user/group pair smmsp to /etc/passwd and /etc/group -- or whatever authentication setup you have. In 8.12 the mail submission program runs set-group-ID smmsp instead of set-user-ID root, so the pair must exist before the binaries are installed and must not be a login account. |
Directories | For each of the following directories, create it and give it root:root ownership with mode 755 (normally the default). Sendmail checks these permissions itself and will refuse to use a configuration file or map that lives in a group- or world-writable directory. |
Files | Note: If you wish to collect statistics about your mail traffic, you should create the file /etc/mail/sendmail.st. |
Configuration Steps | |
---|---|
Getting started | There are four main areas of configuration, Sendmail, PostgreSQL, TLS, and SASL. I'll cover each in turn. |
Sendmail flat files | |
Local domains | Add all domains you receive mail for to /etc/mail/local-host-names. Do not add domains that you only relay for, e.g. domains whose mail is not delivered to a local mailbox but forwarded somewhere else, such as when you act as a secondary MX. A relay-only domain listed here makes sendmail attempt local delivery, and the mail bounces as "user unknown" instead of being forwarded. |
Trusted users | Add your trusted users to /etc/mail/trusted-users |
Masquerade | If you intend to forcibly masquerade hostnames, add those host names to the /etc/mail/masquerade-these-as-me file. |
SASL | |
Configuration and DB | I will assume you installed SASL in /usr/lib/sasl. When sendmail is linked with SASL capability, the library looks for a configuration file named after the application, so the filename it looks for is Sendmail.conf. That file tells the library how passwords are verified (its own sasldb or the system password database, for example); whichever you pick, keep the password store readable by root only, since it holds every relay user's credential. |
TLS | |
Certificates | I am also assuming you have previously installed OpenSSL and have a working setup. If not, please use my link above for instructions on how to install and set up an initial ssl configuration. In the certificate creation steps, be sure to specify the hostname of your mail server as the Common Name: a client that verifies the certificate compares the Common Name with the name it connected to, and a mismatch produces a warning or a refused session. Keep the private key readable by root only. |
Sendmail SQL tables in PostgreSQL | |
Creating | These steps assume you have properly installed PostgreSQL, that it is currently in operation, and that you have granted the proper host/user permissions to connect to the SQL server. Give the account sendmail connects as SELECT rights on the map tables and nothing more; the connection string, password included, ends up in the generated sendmail.cf, which is world-readable by default, so that account should be able to do nothing beyond reading those tables. |
Access (hints) | See my page on the access table for ideas on how to utilize the available keywords. |
Aliases | If you keep case-sensitive email addressing, the default in my patch, make sure you still accept mail for the required role addresses such as 'postmaster' and 'mailer-daemon' in every spelling a sender is likely to use. If you don't accept email for the required users, you are likely to end up listed at http://www.rfc-ignorant.org/ and your mail will be blacklisted. |
Virtualusers | The virtualusers map lets you rewrite email addresses. You can rewrite the username, the hostname, direct all email for a given domain to a single user, or play numerous other tricks. This is a set of example rewrite rules; please read the sendmail documentation for more ideas. |
MX Relay | For every domain you act as an MX relay for (secondary MX), you need (a) an access rule such as 'domain.com','RELAY' in the access table, and (b) if you use wildcard MX records (e.g. one MX per domain), a mailertable entry such as 'domain.com','esmtp:mail.original.com' that points mail for 'domain.com' at the primary MX. Without (b) and with wildcard MX records, mail for the domain will loop rapidly through all the listed secondary MX hosts, each handing it to the next, and within a minute or two it will exceed the maximum number of hops and be dropped. |
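The four SQL-backed maps above (Creating, Aliases, Virtualusers, MX Relay), as one added example of what the tables and their first rows might look like in PostgreSQL. This is illustrative SQL written for this page, not the schema or initial-values file that ships with the patch: the table and column names (aliases, virtusertable, access, mailertable and their key/value columns) are assumptions and must match whatever the map definitions in bluelabs.mc actually query. The 'domain.com' and 'mail.original.com' rows are the ones discussed in the MX Relay row; example.com, joe, the rejected host and forgotten.example are constructed data. The last query is the check a practitioner wants before going live: it lists RELAY domains that have no mailertable route, which is exactly the misconfiguration that produces the fast-bouncing loop described above.

```sql
-- Illustrative schema for sendmail maps kept in PostgreSQL (added example).
-- Names and column layout are assumptions; they must match the map
-- definitions in bluelabs.mc. Keys are compared exactly, because the
-- patch is case sensitive: 'Joe' and 'joe' are different rows.

CREATE TABLE aliases (
    alias   text PRIMARY KEY,   -- left-hand side of the alias
    target  text NOT NULL       -- comma-separated recipient list
);

CREATE TABLE virtusertable (
    address text PRIMARY KEY,   -- 'user@domain' or '@domain' catch-all
    target  text NOT NULL       -- local user or full address to rewrite to
);

CREATE TABLE access (
    source  text PRIMARY KEY,   -- domain, host, IP prefix or address (untagged keys)
    action  text NOT NULL       -- OK, RELAY, REJECT, DISCARD, 'ERROR:...'
);

CREATE TABLE mailertable (
    domain  text PRIMARY KEY,
    route   text NOT NULL       -- 'mailer:host', e.g. esmtp:mail.original.com
);

-- Required role addresses. With case-sensitive keys, each spelling that
-- senders actually use needs its own row or the mail is rejected.
INSERT INTO aliases VALUES ('postmaster',    'root');
INSERT INTO aliases VALUES ('Postmaster',    'root');
INSERT INTO aliases VALUES ('mailer-daemon', 'postmaster');
INSERT INTO aliases VALUES ('MAILER-DAEMON', 'postmaster');
INSERT INTO aliases VALUES ('abuse',         'postmaster');

-- Virtual user rewriting: a single address, then a whole domain (constructed data).
INSERT INTO virtusertable VALUES ('sales@example.com', 'joe');
INSERT INTO virtusertable VALUES ('@example.com',      'joe');

-- Relay control. Only the loopback address and the secondary-MX customer may relay;
-- everything else falls through to the default, which is to refuse relaying.
INSERT INTO access VALUES ('127.0.0.1',         'RELAY');
INSERT INTO access VALUES ('domain.com',        'RELAY');
INSERT INTO access VALUES ('forgotten.example', 'RELAY');   -- deliberately left without a route
INSERT INTO access VALUES ('spammer.example',   'REJECT');

-- Secondary MX: send domain.com straight to its primary instead of resolving MX again.
INSERT INTO mailertable VALUES ('domain.com', 'esmtp:mail.original.com');

-- The kind of lookup a sendmail child issues per map query, one round trip
-- on its cached connection. Returns 'postmaster'.
SELECT target FROM aliases WHERE alias = 'MAILER-DAEMON';

-- Pre-flight check: RELAY domains with no mailertable route. IP prefixes are
-- skipped; every domain this returns would loop between the secondary MXs
-- under wildcard MX records. With the rows above it returns 'forgotten.example'.
SELECT a.source
  FROM access a
  LEFT JOIN mailertable m ON m.domain = a.source
 WHERE a.action = 'RELAY'
   AND a.source !~ '^[0-9.]+$'
   AND m.domain IS NULL;
```

Run the whole file as the table owner, then grant the account sendmail connects as SELECT on the four tables only. If your map definitions use tagged access keys (the keywords referred to in the Access row), the source column holds the tag as part of the key and the final check needs to strip it before joining.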
Client Configuration Steps | |
---|---|
Mozilla and Netscape | Edit your SMTP settings and enable the following (exact wording will vary). Enable TLS as well as authentication: without TLS the simpler SASL mechanisms hand the server your password essentially in the clear.
Here is a picture [example] |
Outlook | DO NOT enable SPA (Secure Password Authentication). SPA is Microsoft's NTLM-based mechanism, which this SASL setup does not offer; with it enabled Outlook fails to log in rather than falling back to the mechanisms the server does advertise. |
Testing and Example Output |
---|